feat: fully finalize unicorn flavor

.github/workflows/test.yaml

@@ -60,6 +60,6 @@ jobs:
       upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }}
       flavor: ${{ matrix.flavor }}
       type: ${{ matrix.type }}
-      runsOn: uds-swf-ubuntu-big-boy-8-core
+      runsOn: uds-swf-ubuntu-big-boy-16-core
       timeout: 30
     secrets: inherit # Inherits all secrets from the parent workflow.

bundle/uds-config.yaml

@@ -12,7 +12,7 @@
     webservice_replicas: 1
     webservice_resources:
       limits:
-        memory: 2.5G
+        memory: 4G
       requests:
         cpu: 300m
         memory: 2.5G
@@ -53,3 +53,4 @@
             name: gitlab-test-bot
             namespace: test-bot
             keyName: TOKEN
+

common/zarf.yaml

@@ -19,7 +19,7 @@ components:
         namespace: gitlab
         url: https://charts.gitlab.io/
         gitPath: chart
-        version: "8.6.2"
+        version: "8.7.3"
         valuesFiles:
           - ../values/common-values.yaml
       - name: uds-gitlab-settings

tasks/test.yaml

@@ -34,7 +34,7 @@ tasks:
       - cmd: echo "uds-package-test-$(date +%s)"
         setVariables:
           - name: PROJECT_NAME
-      - cmd: rm -f ./gitlab-test-ssh-key && ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ./gitlab-test-ssh-key -P ""
+      - cmd: rm -f ./gitlab-test-ssh-key && ssh-keygen -t ecdsa -b 384 -C "[email protected]" -f ./gitlab-test-ssh-key -P ""
         dir: tests/data
       # Login, and create a project
       - cmd: |
@@ -47,7 +47,9 @@ tasks:
       # Pull the project via SSH (gateway -> gitlab-shell -> gitaly)
       - cmd: |
           mkdir -p "${PROJECT_NAME}" && cd "${PROJECT_NAME}" && git init
-          git config core.sshCommand "ssh -i ../gitlab-test-ssh-key -o StrictHostKeyChecking=no"
+          git config core.sshCommand "ssh -i ../gitlab-test-ssh-key -o StrictHostKeyChecking=no -o Ciphers=aes256-ctr \
+          -o KexAlgorithms=ecdh-sha2-nistp384 \
+          -o MACs=hmac-sha2-256"
           git remote add origin "ssh://[email protected]:2223/doug/${PROJECT_NAME}-firefox.git"
           git pull origin main
         dir: tests/data

values/common-values.yaml

@@ -148,10 +148,7 @@ gitlab:
         enabled: true
 
   migrations:
-    resources:
-      limits:
-        cpu: 500m
-        memory: 4G
+
 
   sidekiq:
     metrics:
@@ -204,6 +201,11 @@ gitlab:
       enabled: true
       serviceMonitor:
         enabled: true
+    config:
+      ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
+      kexAlgorithms: ["ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
+      macs: ["hmac-sha2-256", "hmac-sha2-512"]
+      publicKeyAlgorithms: ["ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]
 
 certmanager:
   install: false

values/settings-unicorn-values.yaml

@@ -4,5 +4,5 @@
 global:
   kubectl:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-kubectl-fips
+      tag: 1.32.0

values/settings-upstream-values.yaml

@@ -5,4 +5,4 @@ global:
   kubectl:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
-      tag: v17.6.2
+      tag: v17.7.1

values/unicorn-values.yaml

@@ -4,76 +4,73 @@
 gitlab:
   webservice:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-webservice-ee-fips
+      tag: "17.7"
     workhorse:
-      image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee
-      # renovate: datasource=docker depName=registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee versioning=semver
-      tag: v17.6.2
+      image: cgr.dev/du-uds-defenseunicorns/gitlab-workhorse-ee-fips
+      # renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/gitlab-workhorse-ee-fips versioning=semver
+      tag: "17.7"
   sidekiq:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-sidekiq-ee-fips
+      tag: "17.7"
   migrations:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-toolbox-ee-fips
+      tag: "17.7"
   gitaly:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitaly
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitaly-fips
+      tag: "17.7"
     cgroups:
       initContainer:
         image:
           repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
-          tag: v17.6.2
+          tag: v17.7.1
   gitlab-exporter:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-exporter-fips
+      tag: "17.7"
   gitlab-pages:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-pages
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-pages-fips
+      tag: "17.7"
   gitlab-shell:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-shell-fips
+      tag: "17.7"
   praefect:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitaly
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitaly-fips
+      tag: "17.7"
   toolbox:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
-      tag: v17.6.2
-
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-toolbox-ee-fips
+      tag: "17.7"
 global:
   certificates:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/certificates
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-certificates-fips
+      tag: "17.7"
   gitlabBase:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-base-fips
+      tag: "17.7"
   kubectl:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
-      tag: v17.6.2
-
+      repository: cgr.dev/du-uds-defenseunicorns/gitlab-kubectl-fips
+      tag: 1.32.0
 registry:
   image:
-    repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry
-    tag: v17.6.2
-
+    repository: cgr.dev/du-uds-defenseunicorns/gitlab-container-registry-fips
+    tag: "17.7"
 shared-secrets:
   selfsign:
     image:
-      repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign
-      tag: v17.6.2
+      repository: cgr.dev/du-uds-defenseunicorns/cfssl-self-sign-fips
+      tag: "17.7"
 
 upgradeCheck:
   image:
-    repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
-    tag: v17.6.2
+    repository: cgr.dev/du-uds-defenseunicorns/gitlab-base-fips
+    tag: "17.7"

values/upstream-values.yaml

@@ -5,75 +5,75 @@ gitlab:
   webservice:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee
-      tag: v17.6.2
+      tag: v17.7.1
     workhorse:
       image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee
       # renovate: datasource=docker depName=registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee versioning=semver
-      tag: v17.6.2
+      tag: v17.7.1
   sidekiq:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee
-      tag: v17.6.2
+      tag: v17.7.1
   migrations:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
-      tag: v17.6.2
+      tag: v17.7.1
   gitaly:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitaly
-      tag: v17.6.2
+      tag: v17.7.1
     cgroups:
       initContainer:
         image:
           repository: registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups
-          tag: v17.6.2
+          tag: v17.7.1
   gitlab-exporter:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter
-      tag: v17.6.2
+      tag: v17.7.1
   gitlab-pages:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-pages
-      tag: v17.6.2
+      tag: v17.7.1
   gitlab-shell:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell
-      tag: v17.6.2
+      tag: v17.7.1
   praefect:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitaly
-      tag: v17.6.2
+      tag: v17.7.1
   toolbox:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee
-      tag: v17.6.2
+      tag: v17.7.1
 
 global:
   certificates:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/certificates
-      tag: v17.6.2
+      tag: v17.7.1
   gitlabBase:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
-      tag: v17.6.2
+      tag: v17.7.1
   kubectl:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/kubectl
-      tag: v17.6.2
+      tag: v17.7.1
 
 registry:
   image:
     repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry
-    tag: v17.6.2
+    tag: v17.7.1
 
 shared-secrets:
   selfsign:
     image:
       repository: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign
-      tag: v17.6.2
+      tag: v17.7.1
 
 upgradeCheck:
   image:
     repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-base
-    tag: v17.6.2
+    tag: v17.7.1

zarf.yaml

@@ -83,20 +83,20 @@ components:
         valuesFiles:
           - values/settings-upstream-values.yaml
     images:
-      - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.6.2"
+      - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.1"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.7.1"
 
  # Note: unicorn flavor is experimental
   - name: gitlab
@@ -113,18 +113,19 @@ components:
       - name: uds-gitlab-settings
         valuesFiles:
           - values/settings-unicorn-values.yaml
+          - values/settings-unicorn-values.yaml
     images:
-      - "registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-pages:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
-      - "registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter:v17.6.2"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-certificates-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/cfssl-self-sign-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitaly-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-container-registry-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-pages-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-shell-fips:17.7"
+      - "registry.gitlab.com/gitlab-org/build/cng/gitaly-init-cgroups:v17.7.1"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-sidekiq-ee-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-toolbox-ee-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-workhorse-ee-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-webservice-ee-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-kubectl-fips:1.32.0"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-base-fips:17.7"
+      - "cgr.dev/du-uds-defenseunicorns/gitlab-exporter-fips:17.7"